Configuring a Static MAC Address Entry
MAC addresses and interfaces are bound statically in static MAC address entries.
Context
A switch maintains its MAC address table by learning the source MAC addresses of received packets, so it cannot tell packets from authorized users apart from packets sent by unauthorized users. If an unauthorized user connected to another interface of the switch sends attack packets whose source MAC address is that of an authorized user, the switch learns an incorrect MAC address entry, and packets destined for the authorized user are forwarded to the unauthorized user instead. To prevent this, you can create static MAC address entries that bind the MAC addresses of authorized users to specified interfaces, so that unauthorized users cannot intercept the authorized users' data.
Static MAC address entries have the following characteristics:
- A static MAC address entry is never aged out. Once created, it is retained after a system restart and can only be deleted manually.
- The VLAN bound to a static MAC address entry must already exist and be assigned to the interface bound to the entry.
- The MAC address in a static MAC address entry must be a unicast MAC address, and cannot be a multicast or broadcast MAC address.
- A static MAC address entry takes precedence over a dynamic MAC address entry and is not overwritten by source MAC address learning. If a packet whose source MAC address is bound by a static entry arrives on an interface other than the bound one (a flapping static MAC address), the system discards the packet.
Procedure
- Run system-view
  The system view is displayed.
- Run mac-address static mac-address interface-type interface-number vlan vlan-id
  A static MAC address entry is created. Here mac-address is the unicast MAC address of the authorized user, interface-type interface-number is the interface the address is bound to, and vlan-id is a VLAN that already exists and is assigned to that interface.
For details on how to configure a static MAC address entry for a VSI, see mac-address static vlanif and mac-address static vsi.
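The following is an added example, not code from the original page or from the switch vendor. It models a simplified MAC address table in Python to show the two points made above: why dynamic learning lets a host on another interface hijack an authorized user's traffic by spoofing its source MAC address, and how a static entry (with the unicast, VLAN-exists and VLAN-assigned checks from the characteristics list) stops the overwrite and discards the flapping packets. Interface names, VLAN 10 and the MAC addresses are constructed values for illustration.

```python
# Added example (not from the original page): a small model of a switch MAC
# address table with dynamic learning and static entries.

MULTICAST_BIT = 0x01  # I/G bit of the first octet: 1 = multicast/broadcast address


def is_unicast(mac: str) -> bool:
    """True if the MAC (written as aabb-ccdd-eeff) is a unicast address."""
    first_octet = int(mac.replace("-", "")[:2], 16)
    return first_octet & MULTICAST_BIT == 0


class MacTable:
    def __init__(self):
        self.vlans = set()        # VLAN IDs that exist
        self.port_vlans = {}      # interface -> set of VLANs assigned to it
        self.entries = {}         # (vlan, mac) -> (interface, "static" | "dynamic")
        self.discarded = []       # packets dropped because a static MAC flapped

    def create_vlan(self, vlan):
        self.vlans.add(vlan)

    def assign_vlan(self, interface, vlan):
        if vlan not in self.vlans:
            raise ValueError(f"VLAN {vlan} does not exist")
        self.port_vlans.setdefault(interface, set()).add(vlan)

    def add_static(self, mac, interface, vlan):
        """Model of 'mac-address static <mac> <interface> vlan <vlan-id>' with its checks."""
        if not is_unicast(mac):
            raise ValueError(f"{mac} is not a unicast MAC address")
        if vlan not in self.vlans:
            raise ValueError(f"VLAN {vlan} does not exist")
        if vlan not in self.port_vlans.get(interface, set()):
            raise ValueError(f"VLAN {vlan} is not assigned to {interface}")
        self.entries[(vlan, mac)] = (interface, "static")

    def receive(self, src_mac, ingress, vlan):
        """Source MAC learning for an incoming packet. Returns False if discarded."""
        current = self.entries.get((vlan, src_mac))
        if current and current[1] == "static":
            if current[0] != ingress:
                # Static MAC seen on another interface: flapping, so discard.
                self.discarded.append((src_mac, ingress, vlan))
                return False
            return True
        # Dynamic entries are (re)learned freely, which is what spoofing exploits.
        self.entries[(vlan, src_mac)] = (ingress, "dynamic")
        return True

    def lookup(self, dst_mac, vlan):
        entry = self.entries.get((vlan, dst_mac))
        return entry[0] if entry else None


def demo():
    """Where packets for the authorized user are sent before and after the static entry."""
    user_mac = "0001-0002-0003"   # constructed MAC of the authorized user
    t = MacTable()
    t.create_vlan(10)
    for port in ("GigabitEthernet0/0/1", "GigabitEthernet0/0/2"):
        t.assign_vlan(port, 10)

    # Authorized user on GE0/0/1 sends a packet: entry is learned dynamically.
    t.receive(user_mac, "GigabitEthernet0/0/1", 10)
    # Unauthorized host on GE0/0/2 spoofs the same source MAC: entry is overwritten.
    t.receive(user_mac, "GigabitEthernet0/0/2", 10)
    before = t.lookup(user_mac, 10)      # now GE0/0/2: traffic is intercepted

    # Bind the MAC statically to GE0/0/1 and replay the spoofed packet.
    t.add_static(user_mac, "GigabitEthernet0/0/1", 10)
    accepted = t.receive(user_mac, "GigabitEthernet0/0/2", 10)
    after = t.lookup(user_mac, 10)       # stays GE0/0/1; spoofed packet discarded
    return before, after, accepted, len(t.discarded)


if __name__ == "__main__":
    print(demo())
```

Running demo() returns the interface the user's traffic went to before the static entry (the attacker's interface), the interface after it (the bound one), whether the replayed spoofed packet was accepted, and how many packets were discarded. add_static raises an error for a multicast or broadcast address, a nonexistent VLAN, or a VLAN not assigned to the interface, mirroring the characteristics listed above.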